Serialization Vulnerability in FasterXML Jackson Databind
CVE-2020-36181

8.1 HIGH

Key Information:

Vendor: Netapp
CVE Published: 6 January 2021

Summary

The FasterXML jackson-databind library prior to version 2.9.10.8 is vulnerable because of the way serialization gadgets interact with type definitions. The issue involves the org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS class and can lead to unintended code execution and manipulation of objects during serialization processes, putting applications that rely on this library at risk.

References

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
